Annotation of metadata through capture infrastructure

ABSTRACT

A method, apparatus and system annotation of meta-data through a capture infrastructure are disclosed. In one embodiment, a method of a client device includes applying an automatic content recognition algorithm to determine a content identifier of an audio-visual data. The client device then associates the content identifier with an advertisement data based on a semantic correlation between a meta-data of the advertisement provided by a content provider and/or the content identifier. A capture infrastructure annotates the audio-visual data with a brand name and/or a product name by comparing entries in the master database with a closed captioning data of the audio-visual data and/or through an application of an optical character recognition algorithm in the audio-visual data. The content identifier may involve a music identification, an object identification, a facial identification, and/or a voice identification. A minimal functionality including accessing a tuner and/or a stream decoder that identifies a channel and/or a content may be found in the networked media device. The networked media device may produce an audio fingerprint and/or a video fingerprint that is communicated with the capture infrastructure.

CLAIM OF PRIORITY

This disclosure claims priority to, and incorporates herein by referencethe entire specification of U.S. Provisional Patent application No.61/118,286 filed Nov. 26, 2008 and titled DISCOVERY, ACCESS CONTROL, ANDCOMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A SECURITY SANDBOX.

This disclosure claims priority to, and incorporates herein by referencethe entire specification of U.S. Continuation application Ser. No.13/470,814 filed May 14, 2012 and titled DISCOVERY, ACCESS CONTROL, ANDCOMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A SECURITY SANDBOX.This disclosure further claims priority to, and incorporates herein byreference the entire specification of U.S. Continuation application No.12/592,377 filed Nov. 23, 2009 and titled DISCOVERY, ACCESS CONTROL, ANDCOMMUNICATION WITH NETWORKED SERVICES FROM WITHIN A SECURITY SANDBOX.

This disclosure claims priority to, and incorporates herein by referencethe entire specification of U.S. Provisional Patent application No.61/584,168 filed Jan. 6, 2012 and titled CAPTURING CONTENT FOR DISPLAYON A TELEVISION.

This disclosure claims priority to, and incorporates herein by referencethe entire specification of U.S. Provisional Patent application No.61/696,711 filed Sep. 4, 2012 and titled SYSTEMS AND METHODS FORRECOGNIZING CONTENT.

This disclosure claims priority to, and incorporates herein by referencethe entire specification of U.S. Utility patent application Ser. No.13/736,031 filed Jan. 7, 2013 and titled ZERO CONFIGURATIONCOMMUNICATION BETWEEN A BROWSER AND A NETWORKED MEDIA DEVICE.

FIELD OF TECHNOLOGY

This disclosure relates generally to the technical field of networking,and in one example embodiment, this disclosure relates to a method, anapparatus, and a system of annotation of meta-data through a captureinfrastructure.

BACKGROUND

A user may access a mobile communication device while watchingtelevision. An advertisement presented to the user on the mobilecommunication device may be independent of the content being viewed onthe television. For example, the user may be watching a television showabout car washes. However, advertisements displayed on the mobile devicemay have nothing to do with water, cars, and/or cleanliness. Similarly,advertisements displayed on the television may not appreciate a presentactivity of the user when accessing the mobile device. As such, anadvertiser may miss key marketing opportunities to the user to deliverhighly targeted and relevant advertising to the user.

SUMMARY

An apparatus and a system of annotation of meta-data through a captureinfrastructure are disclosed. In one aspect, a method of a client deviceincludes applying an automatic content recognition algorithm todetermine a content identifier of an audio-visual data. The clientdevice then associates the content identifier with an advertisement databased on a semantic correlation between a meta-data of the advertisementprovided by a content provider and/or the content identifier. A captureinfrastructure annotates the audio-visual data with a brand name and/ora product name by comparing entries in the master database with a closedcaptioning data of the audio-visual data and/or through an applicationof an optical character recognition algorithm in the audio-visual data.The content identifier may involve a music identification, an objectidentification, a facial identification, and/or a voice identification.A minimal functionality including accessing a tuner and/or a streamdecoder that identifies a channel and/or a content may be found in thenetworked media device. The networked media device may produce an audiofingerprint and/or a video fingerprint that is communicated with thecapture infrastructure.

The capture infrastructure may compare the audio fingerprint and/or thevideo fingerprint with a master database. The capture infrastructure mayfurther annotate the audio-visual data with a logo name by comparingentries in the master database with a logo data of the audio-visual dataidentified using a logo detection algorithm. The capture infrastructuremay automatically divide the audio-visual data into a series of scenesbased on a sematic grouping of actions in the audio-visual data. Theaudio-visual data may be analyzed in advance of a broadcast to determinecontent identifiers associated with each commercial in the audio-visualdata such that advertisements are pre-inserted into the audio-visualdata prior to broadcast.

The capture infrastructure may apply a time-order algorithm toautomatically match advertisements to the audio-visual data when acorrelation pattern is identified by the capture infrastructure withother audio-visual content previously analyzed. The captureinfrastructure may include a buffer that is saved to a persistentstorage and/or for which a label is generated to facilitateidentification of reoccurring sequences. A post processing operation maybe automated through a post-processing algorithm and/or a crowd-sourcedoperation using a plurality of users in which a turing test is appliedto determine a veracity of an input.

A device pairing algorithm may be used in which a cookie data associatedwith a web page visited by the user stored on a browser on the clientdevice is paired with the networked media device when the client deviceis communicatively coupled with the networked media device. A transitivepublic IP matching algorithm may be utilized in which the client deviceand/or the networked media device communicates each public IP addresswith any paired entity to the capture infrastructure. A tag that isunconstrained from a same-origin policy may be used to automaticallyload the advertisement in the browser, the tag is an image tag, a frame,a iframe, and/or a script tag.

An additional metadata including the content identifier and/or theadvertisement based on a video processing algorithm may be referenced.The additional meta data may be a title, a description, a thumbnail, aname of an individual, and/or a historical data. The additional metadatamay be determined from a browser history captured from the client devicebased on a capture policy, and/or correlating a relevance of the browserhistory with the content identifier and/or the advertisement.

In another aspect, a method of a networked device includes applying anautomatic content recognition algorithm to determine a contentidentifier of an audio-visual data, and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier. In this other aspect, a captureinfrastructure annotates the audio-visual data with a brand name and/ora product name by comparing entries in the master database with a closedcaptioning data of the audio-visual data and/or through an applicationof an optical character recognition algorithm in the audio-visual data.

In yet another aspect, a system includes a networked device and/or aclient device to apply an automatic content recognition algorithm todetermine a content identifier of an audio-visual data and/or toassociate the content identifier with an advertisement data based on asemantic correlation between a meta-data of the advertisement providedby a content provider and/or the content identifier. The system alsoincludes a capture infrastructure to annotate the audio-visual data witha brand name and/or a product name by comparing entries in the masterdatabase with a closed captioning data of the audio-visual data and/orthrough an application of an optical character recognition algorithm inthe audio-visual data.

The methods, system, and/or apparatuses disclosed herein may beimplemented in any means for achieving various aspects, and may beexecuted in a form of machine readable medium embodying a set ofinstruction that, when executed by a machine, causes the machine toperform any of the operations disclosed herein. Other features will beapparent from the accompanying drawing and from the detailed descriptionthat follows.

BRIEF DESCRIPTION OF DRAWINGS

Example embodiments are illustrated by way of example and not limitationin the figures of the accompanying drawing, in which like referencesindicate similar elements and in which:

FIG. 1 is a block diagram of a system of automatic bidirectionalcommunication between multiple devices sharing a common network,according to one embodiment.

FIG. 2 is a block diagram of a system of automatic bidirectionalcommunication between a client device 100 and a networked device 102using a server, according to one embodiment.

FIG. 3 is an exploded view of the security sandbox 104, according to oneembodiment.

FIG. 4 is an exploded view of the pairing server 200, according to oneembodiment.

FIG. 5 is an exploded view of the client device 100, according to oneembodiment.

FIG. 6 is a table of example network information stored in a database422 of a pairing server 200, according to one embodiment.

FIG. 7 is a block diagram of a method by which a security sandbox 104can communicate with a sandbox reachable service 114 that previouslyoperated on a shared network 202, according to one embodiment.

FIG. 8 is a schematic diagram of a private network 800 and a privatenetwork 802 communicating over the public Internet via a NAT device 804and a NAT device 806, according to one embodiment.

Other features of the present embodiments will be apparent from theaccompanying drawings and from the detailed description that follows.

DETAILED DESCRIPTION

An apparatus and a system of annotation of meta-data through a captureinfrastructure are disclosed.

In one embodiment, a method of a client device 100 includes applying anautomatic content recognition algorithm (e.g., in the algorithm library107) to determine a content identifier 111 of an audio-visual data(e.g., a movie, a television show, an advertisement, etc.). The clientdevice 100 then associates the content identifier 111 with anadvertisement data 113 based on a semantic correlation between ameta-data of the advertisement (a particular advertisement of theadvertisement data 113) provided by a content provider (e.g., anorganization providing advertisements) and/or the content identifier111. A capture infrastructure 105 annotates the audio-visual data with abrand name and/or a product name by comparing entries in the masterdatabase 109 with a closed captioning data of the audio-visual dataand/or through an application of an optical character recognitionalgorithm (e.g., in the algorithm library 107) in the audio-visual data.The content identifier 111 may involve a music identification, an objectidentification, a facial identification, and/or a voice identification.A minimal functionality including accessing a tuner and/or a streamdecoder that identifies a channel and/or a content may be found in thenetworked media device (e.g., the networked device 102). The networkedmedia device (e.g., the networked device 102) may produce an audiofingerprint and/or a video fingerprint that is communicated with thecapture infrastructure 105.

The capture infrastructure 105 may compare the audio fingerprint and/orthe video fingerprint with a master database 109. The captureinfrastructure 105 may further annotate the audio-visual data with alogo name by comparing entries in the master database 109 with a logodata of the audio-visual data identified using a logo detectionalgorithm (e.g., in the algorithm library 107). The captureinfrastructure 105 may automatically divide the audio-visual data into aseries of scenes based on a sematic grouping of actions in theaudio-visual data. The audio-visual data may be analyzed in advance of abroadcast to determine content identifier 111 s associated with eachcommercial in the audio-visual data such that advertisements arepre-inserted into the audio-visual data prior to broadcast.

The capture infrastructure 105 may apply a time-order algorithm (e.g.,in the algorithm library 107) to automatically match advertisements tothe audio-visual data when a correlation pattern is identified by thecapture infrastructure 105 with other audio-visual content previouslyanalyzed. The capture infrastructure 105 may include a buffer that issaved to a persistent storage and/or for which a label is generated tofacilitate identification of reoccurring sequences. A post processingoperation may be automated through a post-processing algorithm (e.g., inthe algorithm library 107) and/or a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input.

A device pairing algorithm (e.g., in the algorithm library 107) may beused in which a cookie data associated with a web page visited by theuser stored on a browser on the client device 100 is paired with thenetworked media device (e.g., the networked device 102) when the clientdevice 100 is communicatively coupled with the networked media device(e.g., the networked device 102). A transitive public IP matchingalgorithm (e.g., in the algorithm library 107) may be utilized in whichthe client device 100 and/or the networked media device (e.g., thenetworked device 102) communicates each public IP address with anypaired entity to the capture infrastructure 105. A tag that isunconstrained from a same-origin policy may be used to automaticallyload the advertisement in the browser, the tag is an image tag, a frame,a iframe, and/or a script tag.

An additional metadata including the content identifier 111 and/or theadvertisement based on a video processing algorithm (e.g., in thealgorithm library 107) may be referenced. The additional meta data maybe a title, a description, a thumbnail, a name of an individual, and/ora historical data. The additional metadata may be determined from abrowser history captured from the client device 100 based on a capturepolicy, and/or correlating a relevance of the browser history with thecontent identifier 111 and/or the advertisement.

In another embodiment, a method of a networked device includes applyingan automatic content recognition algorithm (e.g., in the algorithmlibrary 107) to determine a content identifier 111 of an audio-visualdata, and associating the content identifier 111 with an advertisementdata 113 based on a semantic correlation between a meta-data of theadvertisement provided by a content provider and/or the contentidentifier 111. In this other aspect, a capture infrastructure 105annotates the audio-visual data with a brand name and/or a product nameby comparing entries in the master database 109 with a closed captioningdata of the audio-visual data and/or through an application of anoptical character recognition algorithm (e.g., in the algorithm library107) in the audio-visual data.

In yet another embodiment, a system includes a networked device and/or aclient device 100 to apply an automatic content recognition algorithm(e.g., in the algorithm library 107) to determine a content identifier111 of an audio-visual data and/or to associate the content identifier111 with an advertisement data 113 based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand/or the content identifier 111. The system also includes a captureinfrastructure 105 to annotate the audio-visual data with a brand nameand/or a product name by comparing entries in the master database 109with a closed captioning data of the audio-visual data and/or through anapplication of an optical character recognition algorithm (e.g., in thealgorithm library 107) in the audio-visual data.

FIG. 1 is a block diagram of a system of automatic bidirectionalcommunication (e.g., sending and receiving information in bothdirections without prior configuration by a human) between multipledevices sharing a common network, according to one embodiment. FIG. 1shows a client device 100, a networked device 102, a security sandbox104, an executable environment 106, a processor 108, a storage 109, amemory 110, a sandboxed application 112, and a sandbox reachable service114. The client device 100 communicates bidirectionally with thenetworked device 102 of FIG. 1.

According to one embodiment, a client device 100 may be a computer, asmartphone, and/or any other hardware with a program that initiatescontact with a server to make use of a resource. A client device 100 mayconstrain an executable environment 106 in a security sandbox 104,execute a sandboxed application 112 in a security sandbox 104 using aprocessor 108 and a memory 110, and automatically instantiate (e.g.,manifest) a connection (e.g., a complete path between two terminals overwhich two-way communications may be provided) between a sandboxedapplication 112 and a sandbox reachable service 114 of the networkeddevice 102.

According to one embodiment, a networked device 102 may be a television,stereo, game console, another computer, and/or any other hardwareconnected by communications channels that allow sharing of resources andinformation. A networked device 102 may comprise a number of sandboxreachable applications. A networked device 102 may announce a sandboxreachable service 114 using a processor 108 and a memory 110. Accordingto one embodiment, a processor 108 may be a central processing unit(CPU), a microprocessor, and/or any other hardware within a computersystem which carries out the instructions of a program by performing thebasic arithmetical, logical, and input/output operations of the system.According to one embodiment, a memory 110 may be a random access memory(RAM), a read only memory (ROM), a flash memory, and/or any otherphysical devices used to store programs or data for use in a digitalelectronic device.

The security sandbox 104, the processor 108, the storage 109, and thememory 110 each exist within the client device 100 of FIG. 1, and theycommunicate bidirectionally with each other. According to oneembodiment, a security sandbox 104 may be an operating system on whichthe sandboxed application 112 is hosted, a browser application of theoperating system, and/or any other mechanism for separating runningprograms to execute untested code and/or untrusted programs fromunverified third-parties, suppliers, untrusted users, and untrustedwebsites. According to one embodiment, a storage 109 may be a technologyconsisting of computer components and recording media used to retaindigital data.

The executable environment 106 exists within the security sandbox 104 ofFIG. 1. According to one embodiment, an executable environment 106 maybe a virtual machine, a jail, a scripting language interpreter, ascratch space on disk and memory, and/or any other tightly controlledset of resources in which to run guest programs.

The sandboxed application 112 exists within the executable environment106 of FIG. 1. According to one embodiment, a sandboxed application 112may be an untested code, an untrusted program (e.g., from an untrustedweb page), and/or any other software that can be executed with theappropriate runtime environment of the security sandbox 104.

The sandbox reachable service 114 exists within the networked device 102of FIG. 1. According to one embodiment, a sandbox reachable service 114may be a smart television application, a set-top box application, anaudio device application, a game console application, a computerapplication, and/or any other service that can be discovered andcommunicated with from within the sandboxed application 112. FIG. 1 mayencompass constraining a sandbox reachable service 114 in a securitysandbox 104 where it is described sandbox reachable service 114,according to one embodiment. A security sandbox 104 may not allow asandbox reachable service 114 that is constrained in the securitysandbox 104 to open a server socket and receive inbound connections.However, a sandbox reachable service 114 that is constrained in thesecurity sandbox 104 may still announce and be discovered, but allcommunications between a client device 100 and a networked device 102may need to traverse through a relay in a pairing server 200.

FIG. 2 is a block diagram of a system of automatic bidirectionalcommunication between a client device 100 and a networked device 102using a server, according to one embodiment. FIG. 2 shows a clientdevice 100, a networked device 102, a security sandbox 104, anexecutable environment 106, a processor 108, a memory 110, a sandboxedapplication 112, a pairing server 200, a shared network 202, a Wide AreaNetwork (WAN) 204, a devices 206, a global unique identifier (GUID) 208,an alphanumeric name 210, a private address pair 212, a sandboxreachable service 114, an identification data 216, a switch 218, apublic address pair 220, and a hardware address 222.

The client device 100, the networked device 102, and the devices 206communicate bidirectionally with each other through the switch 218 inthe shared network 202. According to one embodiment, a devices 206 maybe a television, a projection screen, a multimedia display, atouchscreen display, an audio device, a weather measurement device, atraffic monitoring device, a status update device, a global positioningdevice, a geospatial estimation device, a tracking device, abidirectional communication device, a unicast device, a broadcastdevice, a multidimensional visual presentation device, and/or any otherdevices with a network interface. According to one embodiment, a switch218 may be a telecommunication device (e.g., a broadcast, multicast,and/or anycast forwarding hardware) that receives a message from anydevice connected to it and then transmits the message only to the devicefor which the message was meant.

According to one embodiment, a shared network 202 may be a local areanetwork, a multicast network, an anycast network, a multilan network, aprivate network (e.g., any network with a private IP space), and/or anyother collection of hardware interconnected by communication channelsthat allow sharing of resources and information. When a sandboxedapplication 112 and a sandbox reachable service 114 communicate in ashared network 202 common to the client device 100 and a networkeddevice 102 when a connection is established, a client device 100 mayeliminate a communication through a centralized infrastructure (e.g., apairing server 200 which may be used only for discovery), minimizelatency in the communication session (e.g., by establishing a connectionbetween a client device 100 and a networked device 102 rather than byrelaying via a pairing server 200), and improve privacy in thecommunication session.

FIG. 2 may encompass establishing a shared network 202 based on abidirectional communication that does not use a relay service where itis described a shared network 202, according to one embodiment. Multiplelocal area networks (LANs) may share a public IP address. A clientdevice 100 may reside on one LAN, and a sandbox reachable service 114may reside on another LAN. A client device 100 may discover a sandboxreachable service by matching public Internet Protocol (IP) addresses.However, a sandbox reachable service 114 that is not constrained to asecurity sandbox 104 may have an unconstrained view (e.g., it may haveaccess to Media Access Control addresses, Address Resolution Protocol,and/or routing tables) of a shared network 202.

A client device 100 may attempt to communicate with a sandbox reachableservice 114 (e.g., by opening a Transmission Control Protocol connectionand/or by sending a User Datagram Protocol datagram) without using arelay service. A shared network 202 may be established if a connectionsuccessfully handshakes, a datagram arrives, and/or the client device100 and the sandbox reachable service 114 otherwise communicatebidirectionally without using a relay service.

FIG. 2 may also encompass establishing a shared network 202 based on adetermination that a client device 100 and a sandbox reachable service114 reside on a same LAN where it is described a shared network 202,according to one embodiment. For example, a networked device 102 maybroadcast ping (e.g., using Internet Control Message Protocol) andlisten for a response from a client device 100.

FIG. 2 may further encompass establishing a shared network 202 by usingan address resolution protocol (e.g., ARP) where it is described ashared network 202, according to one embodiment. A sandbox reachableservice 114 may determine that a client device 100 resides on a same LANif the IP address of the client device 100 can be resolved to a LANaddress using an IP-to-LAN address resolution protocol (e.g., ARP).

The shared network 202 communicates with the pairing server 200 throughthe WAN 204. According to one embodiment, a pairing server 200 may be acomputer hardware system dedicated to enabling communication between asandboxed application 112 and a sandbox reachable service 114. Accordingto one embodiment, a WAN 204 may be the Internet and/or any othertelecommunications network that links across metropolitan, regional,and/or national boundaries using private and/or public transports. Anetworked device 102 may announce an availability of a sandbox reachableservice 114 across a range of public addresses such that a sandboxedapplication 112 communicates with the sandbox reachable service 114 inany one of the range of the public addresses. However, a range of publicaddresses may be known by a pairing server 200 so that the announcementof the availability of a sandbox reachable service 114 across a range ofpublic addresses is unnecessary.

The identification data 216 exists within the sandbox reachable service114 of FIG. 2. According to one embodiment, an identification data 216may be a reference information associated with an application sharing apublic address with a client device 100, a networked device 102, and/ora devices 206 (e.g., to define a network in which the client device 100,the networked device 102, and/or the devices 206 reside). A clientdevice 100 may access a pairing server 200 when processing anidentification data 216 associated with a sandbox reachable service 114sharing a public address with the client device 100. A pairing server200 may perform a discovery lookup of any device that has announced thatit shares a public address associated with the client device 100.Further, a sandbox reachable service 114 may announce itself to apairing server 200 prior to the establishment of a communication sessionbetween a sandboxed application 112 and the sandbox reachable service114.

The GUID 208, the alphanumeric name 210, the private address pair 212,the public address pair 220, and the hardware address 222 each existwithin the identification data 216 of FIG. 2. According to oneembodiment, a GUID 208 may be a 128-bit reference number used bysoftware programs to uniquely identify the location of a data object.For example, FIG. 2 may be applicable to a GUID 208 of a sandboxreachable service 114 and/or a networked device 102 where it isdescribed a global unique ID 208. It may be preferable to have aone-to-one mapping between a GUID 208 and a networked device 102.However, in the case when a sandbox reachable service 114 may beconstrained to a security sandbox 104, the sandbox reachable service 114may have no way of determining its own IP address and/or whether itresides on a same device with other services. In this case, everysandbox reachable service 114 on the same device may have its own GUID208.

According to one embodiment, an alphanumeric name 210 may be a “Vizio®36″ TV,” a “living room TV,” a “bedroom printer,” and/or any otherhuman-friendly reference name of a networked device 102. According toone embodiment, a private address pair 212 may be a private InternetProtocol (IP) address and a port number associated with an applicationthat sends and/or receives packets. According to one embodiment, apublic address pair 220 may be a public IP address and a port number 604associated with an application that sends and/or receives packets.According to one embodiment, a hardware address 222 may be a MediaAccess Control (MAC) address, a physical address, Ethernet hardwareaddress (EHA), and/or any other unique identifier assigned to networkinterfaces for communications on the physical network segment.

A client device 100 may process an identification data 216 associatedwith a sandbox reachable service 114 sharing a public address with theclient device 100 and determine a private address pair 212 of thesandbox reachable service 114 based on the identification data 216. Anetworked device 102 may also communicate a global unique identifier 208and/or an alphanumeric name 210 to a pairing server 200 along with ahardware address 222 associated with the networked device 102, a publicaddress pair 220 associated with a sandbox reachable service 114 of thenetworked device 102, and/or a private address pair 212 associated withthe sandbox reachable service 114 of the networked device 102.

FIG. 3 is an exploded view of the security sandbox 104, according to oneembodiment. FIG. 3 shows a security sandbox 104, a sandboxed application112, a same origin policy exception 300, a web page 302, a script 304, abinary executable 306, an intermediate bytecode 308, an abstract syntaxtree 310, an executable application 312, a HyperText Markup Language 5(HTML5) application 314, a Javascript® application 316, an Adobe® Flash®application 318, an Asynchronous Javascript® and XML (AJAX) application320, a JQuery® application 324, a Microsoft® Silverlight® application326, a hyperlink 328, a frame 330, a script 332, an image 334, a header336, and a form 338.

The sandboxed application 112 exists within the security sandbox 104 ofFIG. 3. The web page 302, the script 304, the binary executable 306, theintermediate bytecode 308, the abstract syntax tree 310, and theexecutable application 312 are listed as general examples of thesandboxed application 112 of FIG. 3. According to one embodiment, a webpage 302 may be a document and/or an information resource that issuitable for the World Wide Web and can be accessed through a webbrowser and displayed on a monitor and/or a mobile device. According toone embodiment, a script 304 may be a program written for a softwareenvironment that automates the execution of tasks which couldalternatively be executed one-by-one by a human operator.

According to one embodiment, a binary executable 306 may be a binaryfile that may include a program in machine language which is ready to berun. According to one embodiment, an intermediate bytecode 308 may be aprogramming language implementation of instruction set designed forefficient execution by a software interpreter. According to oneembodiment, an abstract syntax tree 310 may be a tree representation ofthe abstract syntactic structure of source code written in a programminglanguage. According to one embodiment, an executable application 312 maybe a file that causes a computer to perform indicated tasks according toencoded instructions.

The HTML5 application 314, the Javascript® application 316, the Adobe®Flash® application 318, the Microsoft® Silverlight® application 326, theJQuery® application 324, and the AJAX application 320 are listed asspecific examples of the general examples of FIG. 3. According to oneembodiment, a HTML5 application 314 may be a program written in thefifth revision of the hypertext markup language standard for structuringand presenting content for the World Wide Web. According to oneembodiment, a Javascript® application 316 may be a program written in ascripting language commonly implemented as part of a web browser inorder to create enhanced user interfaces and dynamic websites. Accordingto one embodiment, an Adobe® Flash® application 318 may be a programwritten for a multimedia and software platform used for authoring ofvector graphics, animation, games and Rich Internet Applications (RIAs)which can be viewed, played, and executed in Adobe® Flash® Player.

According to one embodiment, an AJAX application 320 may be a programusing a XMLHttpRequest method, a program using a Msxml2.XMLHTTP method,a program using a Microsoft.XMLHTTP method, and/or any other web programthat can send data to and retrieve data from a server in the backgroundwithout interfering with the display and behavior of the existing page.According to one embodiment, a JQuery® application 324 may be a programwritten using a multi-browser collection of pre-written Javascript®designed to simply the client-side scripting of HTML. According to oneembodiment, a Microsoft® Silverlight® application 326 may be a programwritten in a framework for writing and running RIAs with features andpurposes similar to those of Adobe® Flash®.

The same origin policy exception 300 extends horizontally below thesecurity sandbox 104 of FIG. 3. According to one embodiment, a sameorigin policy exception 300 may be a cross-domain scripting technique, across-site scripting technique, a document.domain property, aCross-Origin Resource Sharing (CORS), a cross-document messaging, atechnique for relaxing a policy preventing access to methods andproperties across pages on different sites, and/or an access controlalgorithm governing a policy through which a secondary authentication isrequired when establishing a communication between the sandboxedapplication 112 and the networked device 102.

A client device 100 may establish a communication session between asandboxed application 112 and a sandbox reachable service 114 using across-site scripting technique of a security sandbox 104. A clientdevice 100 may also append a header 336 of a hypertext transfer protocolto permit a networked device 102 to communicate with a sandboxedapplication 112 as a permitted origin domain through a Cross-originresource sharing (CORS) algorithm. Further, a client device 100 mayutilize a same origin policy exception 300 through a use of a hyperlink328, a form 338, a script 332, a frame 330, a header 336, and/or animage 334 when establishing the connection between a sandboxedapplication 112 and a sandbox reachable service 114.

For example, FIG. 3 may encompass a HTML5 cross-domain scripting usingpostMessage where it is described HTML5 application 314. WithpostMessage, a calling window may call any other window in a hierarchyincluding those in other domains. A receiving window may set up amessage listener to receive said message and can return results byposting a result message back to a calling frame. Assuming a web pageresiding at http://example.com/index.html:

<iframe src=”http://bar.com” id=”iframe”></iframe> <form id=”form”> <input type=”text″ id=″msg″ value=″Message to send″/>  <inputtype=″submit″/> </form> <script> window.onload = function( ){ var win =document.getElementById(″iframe″).contentWindow;document.getElementById(″form″).onsubmit = function(e){ win.postMessage(document.getElementById(″msg″).value ); e.preventDefault( ); }; };</script>

An iframe may load the following HTML from bar.com:

<b>This iframe is located on bar.com</b> <div id=“test”>Send me amessage!</div> <script> document.addEventListener(“message”,function(e){ document.getElementById(“test”).textContent = e.domain + “said: ” + e.data; }, false); </script>

When a user 820 (e.g., a human agent who uses a service) clicks on thesubmit button, a message may be posted to the frame read from bar.comwhich changes “Send me a message!” to http://bar.com said: Message tosend.

The hyperlink 328, the frame 330, the script 332, the image 334, theheader 336, and the form 338 comprise aspects of the same origin policyexception 300 of FIG. 3. According to one embodiment, a hyperlink 328may be a reference to data that a reader can directly follow and/or thatis followed automatically. FIG. 3 may also be applicable to a hyperlinksend message interface (e.g., a mechanism by which a sandboxedapplication 112 sends a message to a pairing server 200) where it isdescribed a hyperlink 328 using an <A> tag to send a message to apairing server 200 comprised of a discovery service and a relay service.The <A> tag may link to pages that are not in a same domain as a webpage being viewed in a browser. As such a link may point to the pairingserver 200 and arguments to be passed in a message may be encoded askey-value pairs in a uniform resource identifier (URI) query string. Forexample,

<A HREF=http://pairing_server.com/f?a=10&b=bar>call f</A>

A sandboxed application 112 may announce to the pairing server 200. At alater time, a user 820 may visit example.com and view index.html. Whenthe user 820 clicks on a “call f” hyperlink, a HTTP request may be sentto the pairing server 200. “f” may refer to a path to some arbitraryfunction and key-value pairs a=10 and/or b=bar may be arguments to thatfunction. The pairing server 200 may receive an HTTP GET like thisrequest generated using Google Chrome™:

GET /f?a=10&b=bar HTTP/1.1 Host: pairing_server.com Connection:keep-alive Referer: http://example.dom/index.html Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63Safari/534.3 Accept-Encoding: gzip,deflate,sdch Accept-Language:en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

The URI may not indicate to which service a message is intended. Thismay be interpreted by the pairing server 200 as a private broadcastmeaning that a message passed via a message query interface (e.g., amechanism to communicate a message from a pairing server 200 to asandbox reachable service 114) is passed to all sandbox reachableservices in a shared network 202. In this case, a response HTML maysimply be a new web page that may include a confirmation dialog and/or anotification that a message has been sent.

According to one embodiment, a frame 330 may be a frameset, an inlineframe, and/or any display of web pages and/or media elements within thesame browser window. According to one embodiment, a script 332 may be aHTML tag used to define a program that may accompany an HTML documentand/or be directly embedded in it. FIG. 3 may encompass a SCRIPT tagwhere it is described a script 332 used to contact the pairing server200. For example, a server may deliver an http://example.com/index.htmlthat may include a cross-site <script> tag as follows:

<html>...<head> <script type=″text/Javascript″> function lookup_cb(d) {var services = d[″services″]; var slen = services.length; var s, len; s=″<ul>″; for ( var i = 0; i < slen; ++i ) s = s + ″<li>″ +services[i].name + ″</li>″; s = s + ″</ul>″;document.getElementById(″services″).innerHTML=s; }</script></head><body> ... <div id=”services”></div> ... <scriptid=″external_script″ type=″text/Javascript″></script> <script>document.getElementById(″external_script″).src =″http://pairing_server.com/fling/lookup?callback=lookup_cb″;</script></body></html>

In the example above, Javascript® may replace a source of a <script>with id “external_script” with a script downloaded from the pairingserver 200. A call being made to a sandbox reachable service 114 may beembedded in a call to “lookup” with a single argument“callback=lookup_cb.” The pairing server 200 may return a script thatmay include a result, e.g.,

lookup_cb({ “services”: [...], “yourip”: “69.106.59.218”, “version”:“1.0”, “interval”: 900 })

The result above may include a list of “services” discovered in a user's(e.g., the user of the client device 100) shared network 202. The resultmay be encapsulated inside a call to lookup_cb which was a callbackpassed in a SRC URI to an external_script <script> tag. A returnedscript may be automatically executed, causing lookup_cb to be called.lookup_cb may iterate over services in a result and may output them intothe HTML of the web page http://example.com/index.html.

According to one embodiment, an image 334 may be a HTML tag thatincorporates in-line graphics into an HTML document. FIG. 3 may alsoencompass an <A> tag encapsulating an <IMG> tag where it is described animage 334, thereby allowing a link to take on the appearance of abutton, according to one embodiment. With Javascript® a behavior of theimage may be scripted to make the button change appearance when a mousepasses over the button or when a user clicks on the button, therebymaking the image behave more like a button. For example,

<A HREF=″http://pairing_server.com/f?a=10&b=bar″><IMG SRC=”f.jpg”>callf</IMG></A>

FIG. 3 may also be applicable to an IMG tag where it is described animage 334 used to communicate a call, according to one embodiment. Forexample,

<IMG SRC=“http://pairing_server.com/f?a=10&b=bar”>calling f . . . </IMG>

This example may correspond to a call ƒ with arguments a=10 and/orb=bar. The pairing server 200 sees

GET /f?a=10&b=bar HTTP/1.1 Host:ec2-204-236-247-87.compute-1.amazonaws.com:7878 Connection: keep-aliveReferer: http://dave.flingo.org/browser_behavior_tests/img_link.htmlCache-Control: max-age=0 Accept: */* User-Agent: Mozilla/5.0 (Macintosh;U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko)Chrome/6.0.472.63 Safari/534.3 Accept-Encoding: gzip,deflateAccept-Language: en-US,en;q=0.8 Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3

A browser may expect an image to be returned by this request. As aresult, an IMG send message interface may not threaten a calling webpage with script injection attacks. However, it may limit what can bereturned with an IMG tag. The pairing server 200 may return a validtransparent IMG with width and height set to communicate a pair. Sincean IMG body has been loaded into the calling web page, the height andwidth of the image are immediately available to the calling page usingJavascript®, e.g.,

<HTML> <HEAD> ... <script type=″text/Javascript″> function loaded( ) {var im = document.getElementById(″image″) alert( ″image height=″ +im.height + ″ width=″ + im.width ); } </script> </HEAD><BODY>... <IMGID=″image″ SRC=”http://pairing_server.com/f?a=10&b=bar” onload=″loaded();″></IMG> </BODY> </HTML>

According to one embodiment, a header 336 may be an origin header, areferrer header, and/or any other supplemental data placed at thebeginning of a block of data being stored and/or transmitted. FIG. 3 maybe applicable to a passing of a URI of a web page that may include ahyperlink along with a GET request in a “referer [sic]” URI header whereit is described a header 336 when a user 820 clicks on a hyperlinkrendered from an <A> tag. A pairing server 200 can interpret a refererURI as an URI of a web page to be relayed to a sandbox reachable service114 that can render web pages. For example, the following hyperlinkappears in the web page http://example.com/foo.html

<A HREF=http://pairing_server.com/fling>fling this web page</A>

When a user 820 clicks on “fling this page,” the pairing server 200 mayread the referer URI (e.g., associated with a client device 100) todetermine that the page http://example.com/foo.html should be relayed tothe receiving sandbox-reachable services.

FIG. 3 may also encompass interpreting a referer URI dependent on pagecontent where it is described a header 336, according to one embodiment.For example, a web page 302 that may include a video may cause areference to the video to be passed to a networked device 102.Similarly, a web page 302 that may include an audio may cause areference to the audio to be passed to a networked device 102.

According to one embodiment, a form 338 may be a HTML tag that allows aweb user to enter data that is sent to a server for processing. Forexample, FIG. 3 may encompass a sandboxed application 112 sendingmessages to a sandbox reachable service 114 via HTML FORMs where it isdescribed a form 338. The action of a form may direct the messages viathe pairing server 200. Assume a web page may reside athttp://example.com/index.html and assume a relay infrastructure may runon a server with example domain “pairing_server.com.” The video to berelayed may be titled “Waxing Love.”

<form name=“input” action=“http://pairing_server.com/fling”method=“post”> <INPUT TYPE=“HIDDEN” id=“title” name=“title”value=“Waxing Love” /> <INPUT TYPE=“HIDDEN” id=“description”name=“description” value=“An example video.” /> <INPUT TYPE=“HIDDEN”id=“uri” name=“uri” value=“http://example.com/wax.mp4” /> <INPUTTYPE=“SUBMIT” NAME=“submit” VALUE=“fling” /> </form>

A hidden type may populate an HTTP POST. In this example, an URI of aresource may be passed to a pairing server 200. The pairing server 200may treat the POST as a message to be forwarded to services. In thisexample, the server may see something like:

POST /fling HTTP/1.1 Host: pairing_server.com Origin:http://example.com/index.html User-Agent: Mozilla/5.0 (Macintosh; U;Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.16 (KHTML, like Gecko)Version/5.0 Safari/533.16 Content-Type:application/x-www-form-urlencoded Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Referer: http://example.com/index.htmlAccept-Language: en-us Accept-Encoding: gzip, deflate Content-Length: 95Connection: keep-alivetitle=Waxing+Love&description=An+example+video.&uri=http%3A%2F%2Fexample.com%2Fwax.mp4 &submit=fling

The intended message may be encoded in key-value pairs of a messagebody. In this case a title, description, and URI and an operation“fling.”

FIG. 4 is an exploded view of the pairing server 200, according to oneembodiment. FIG. 4 shows a pairing server 200, a discovery module 400, adiscovery algorithm 402, a relay module 404, a relay algorithm 406, aprotocols 408, and a database 422.

The discovery module 400 and the relay module 404 communicate with thedatabase 422, and they all exist within the pairing server 200 of FIG.4. According to one embodiment, a discovery module 400 may be aself-contained component of a pairing server 200 that detects devicesand services on a network. According to one embodiment, a relay module404 may be a self-contained component of a pairing server 200 thattransmits data to an intermediate node located between a source anddestination that are separated by a distance that prevents directcommunications. According to one embodiment, a database 422 may be astructured collection of information.

A networked device 102 may announce a sandbox reachable service 114 to adiscovery module 400. When a shared network 202 is determined to becommonly associated with a client device 100 and a networked device 102,a pairing server 200 may receive, store using a processor 108 and amemory 110, and communicate to a client device 100 a global uniqueidentifier 208 and/or an alphanumeric name 210 in an announcement from anetworked device 102 along with a hardware address 222 associated withthe networked device 102, a public address pair 220 associated with asandbox reachable service 114 of the networked device 102, and/or aprivate address pair 212 associated with the sandbox reachable service114 of the networked device 102. A shared network 202 is determined tobe commonly associated with a client device 100 and a networked device102 when it is presently shared and/or was previously shared by thenetworked device 102 and the client device 100.

The discovery algorithm 402 exists within the discovery module 400 ofFIG. 4. According to one embodiment, a discovery algorithm 402 may be aprocedure for detecting devices and services on a network. A serviceagent module of a networked device 102 may coordinate communicationswith a discovery module 400 of a security sandbox 104 and/or a pairingserver 200. For example, the service agent sits outside a browser orbrowser-like security sandbox thereby allowing it to listen on a socket.Thus, it can act as a means for services on the same device to discoverone another. The service agent may also announce on behalf of service(s)local to that device.

The relay algorithm 406 exists within the relay module 404 of FIG. 4.According to one embodiment, a relay algorithm 406 may be a procedurefor transmitting data to an intermediate node located between a sourceand destination that are separated by a distance that prevents directcommunications. A service agent module of a networked device 102 maycoordinate communications with a discovery module 400 of a securitysandbox 104 and/or a pairing server 200. For example, the service agentsits outside a browser or browser-like security sandbox thereby allowingit to listen on a socket. Thus, it can act as a relay for messagesarriving from a shared network 202.

When a client device 100 and a networked device 102 reside on networksthat are incommunicable with each other comprising a firewallseparation, a different network separation, a physical separation,and/or an unreachable connection separation, a sandboxed application 112of a security sandbox 104 of the client device 100 and a sandboxreachable service 114 of the networked device 102 may communicate witheach other through a relay service employed by a pairing server 200having a discovery module 400 and a relay module 404 to facilitate atrusted communication (e.g., by guarding a GUID 208, a private IPaddress 808, and/or a hardware address 222 of a networked device 102and/or a sandbox reachable service 114 from a sandboxed application 112)between the sandboxed application 112 and the sandbox reachable service114.

The discovery module 400 and the relay module 404 can also communicateusing the protocols 408 of FIG. 4. According to one embodiment, aprotocols 408 may be a system of digital message formats and rules forexchanging those messages in and/or between devices sharing a network.

FIG. 5 is an exploded view of the client device 100, according to oneembodiment. FIG. 5 shows a client device 100, a discovery module 500, arelay module 504, a discovery algorithm 502, a relay algorithm 506, anextension 518, a sandboxed application 112, a protocols 508, a Bonjour®protocol 510, a Simple Service Discovery Protocol (SSDP) protocol 512, alocal service discovery (LSD) uTorrent® protocol 514, a local areanetwork (LAN) based protocol 516, a multicast protocol 519, and ananycast protocol 520.

The extension 518 exists within the client device 100 of FIG. 5.According to one embodiment, an extension 518 may be a program addingthe capabilities of a discovery module 500 and/or a relay module 504 toa browser. A client device 100 may extend a security sandbox 104 with adiscovery algorithm 502 and a relay algorithm 506 through a discoverymodule 500 and a relay module 504 added to the security sandbox 104. Aclient device 100 may also bypass a pairing server 200 having adiscovery algorithm 402 and a relay algorithm 406 when establishing aconnection between a sandboxed application 112 and a sandbox reachableservice 114 when the security is extended with the discovery algorithm502 and the relay algorithm 506 through the discovery module 500 and therelay module 504 added to a security sandbox 104.

The discovery module 500, the relay module 504, and the sandboxedapplication 112 exist within the extension 518 of FIG. 5. The discoverymodule 500 communicates with the relay module 504 of FIG. 5. Accordingto one embodiment, a discovery module 500 may be a self-containedcomponent of a client device 100 that detects devices and services on anetwork. According to one embodiment, a relay module 504 may be aself-contained component of a client device 100 that transmits data toan intermediate node located between a source and destination that areseparated by a distance that prevents direct communications. A networkeddevice 102 may announce a sandbox reachable service 114 to a discoverymodule 500. A networked device 102 may also automatically instantiate acommunication between a sandbox reachable service 114 of the networkeddevice 102 and a client device 100 when a relay module 504 sends arequest from a sandboxed application 112 of the client device 100 to thesandbox reachable service 114.

The discovery algorithm 502 exists within the discovery module 500 ofFIG. 5. A client device 100 may apply a discovery algorithm 502 of asecurity sandbox 104 to determine that a networked device 102 having asandbox reachable service 114 communicates in a shared network 202common to the client device 100 and the networked device 102.

The relay algorithm 506 exists within the relay module 504 of FIG. 5. Aclient device 100 may apply a relay algorithm 506 of a security sandbox104 to establish a connection between a sandboxed application 112 and asandbox reachable service 114 of a networked device 102. A client device100 may utilize a WebSocket (e.g., a web technology providingfull-duplex communications channels over a single Transmission ControlProtocol connection) and/or a long polling service message queryinterface to reduce a latency of message delivery during a trustedcommunication between a sandboxed application 112 and a sandboxreachable service 114. A client device 100 may also optimize a pollingperiod between polling such that it is less than a timeout period of asession through the relay service. A client device 100 may initiate arelay service through a series of web pages where information iscommunicated using a hyperlink 328 that points at a pairing server 200,and/or a form 338 having a confirmation dialog that is submitted back tothe pairing server 200. A global unique identifier 208 (e.g., of asandbox reachable service 114) may be masked through a pairing server200 when a confirmation dialog is served from the pairing server 200.

The discovery algorithm 502 and the relay algorithm 506 can communicateusing the protocols 508 of FIG. 5. The Bonjour® protocol 510, the SSDPprotocol 512, the LSD uTorrent® protocol 514, the LAN-based protocol516, the multicast protocol 519, and the anycast protocol 520 existwithin the protocols 508 of FIG. 5. According to one embodiment, aBonjour® protocol 510 may be a system of technologies including servicediscovery, address assignment, and hostname resolution developed byApple®. According to one embodiment, a SSDP protocol 512 may be anetwork protocol based on the Internet Protocol Suite for advertisementand discovery of network services and presence information that isaccomplished without assistance of server-based configuration mechanismsand without special static configuration of a network host. According toone embodiment, a LSD uTorrent® protocol 514 may be an extension to theBitTorrent® file distribution system that is designed to support thediscovery of local BitTorrent® peers, aiming to minimize traffic throughan Internet service provider's (ISP) channel and minimize use ofhigher-bandwidth LAN while implemented in a client with a small memoryfootprint. According to one embodiment, a LAN-based protocol 516 may bea system of broadcast-based local area network discovery. According toone embodiment, a multicast protocol 519 may be a system of deliveringinformation simultaneously to a group of destination devices in a singletransmission from a source. According to one embodiment, an anycastprotocol 520 may be a system of routing datagrams from a single senderto the topologically nearest node in a group of potential receivers,though it may be sent to several nodes, all identified by the samedestination address.

A discovery algorithm 502 may utilize a protocols 508 comprising aBonjour® protocol 510, a SSDP protocol 512, a LSD uTorrent® protocol514, a multicast protocol 519, an anycast protocol 520, and/or anotherLAN-based protocol 516 that discovers services in a LAN based on abroadcast from any one of an operating system service, a securitysandbox 104, a client device 100, a sandbox reachable service 114, and anetworked device 102.

FIG. 6 is a table of example network information stored in a database422 of a pairing server 200, according to one embodiment. FIG. 6 shows aGUID 208, an alphanumeric name 210, a network 600, a service 601, aNetwork Address Translator (NAT) 602, a port number 604, an IP address606, and a table 650. The GUID 208, the alphanumeric name 210, thenetwork 600, the service 601, the NAT 602, the port number 604, and theIP address 606 are headings for each column of a table 650 of FIG. 6.

According to one embodiment, a network 600 may be a collection ofhardware interconnected by communication channels that allow sharing ofresources and information. According to one embodiment, a service 601may be a description and/or a name of a service provided by a device.According to one embodiment, a NAT 602 may be an indication of whetheror not a NAT device is present on a network 600. According to oneembodiment, a port number 604 may be a 16-bit reference number for aprocess-specific software construct serving as a communications endpointin a computer's host operating system. According to one embodiment, anIP address 606 may be a numerical label assigned to each deviceparticipating in a computer network that uses the Internet Protocol forcommunication. According to one embodiment, a table 650 may be a set ofdata elements that is organized using a model of vertical columns whichare identified by names and horizontal rows. A sandbox reachable service114 may communicate a GUID 208 and/or an alphanumeric name 210 to apairing server 200 along with an IP address 606 and/or a port number 604of the sandbox reachable service 114.

FIG. 7 is a block diagram of a method by which a security sandbox 104can communicate with a sandbox reachable service 114 that previouslyoperated on a shared network 202, according to one embodiment. FIG. 7shows a client device 100, a storage 109, a remote access token 702, aprivate IP address 704, and a hardware address 222. The storage 109exists within the client device 100 of FIG. 7. The remote access token702 exists within the storage 109 of FIG. 7. According to oneembodiment, a remote access token 702 may be an object encapsulating asecurity descriptor of a process so that a client device 100 and anetworked device 102 that previously established a communication sessionautomatically recognize each other. A cookie associated with a securitysandbox 104 may be used to store a remote access token 702 on a storage109 (e.g., Web storage, HTML5 storage) of a client device 100. A clientdevice 100 can communicate with a sandbox reachable service 114 thatpreviously operated on a common shared network 202 through a remoteaccess token 702.

The private IP address 704 and the hardware address 222 comprise aspectsof the remote access token 702 of FIG. 7. According to one embodiment, aprivate IP address 704 may be an IP address of a node on a privatenetwork that may not be used to route packets on the public Internet. Aremote access token 702 may identify a set of communicable privateInternet Protocol (IP) address (e.g., the private ip address 704) and/orhardware addresses (e.g., the hardware address 222) associated with asandbox reachable service 114 that previously operated on a commonshared network 202 with a client device 100. For example, FIG. 7 mayencompass a preference for associating a device with a hardware address222 where it is described a hardware address 222. A private IP address704 may change as devices move between networks. However, a hardwareaddress 222 may be a stable, long-term pseudonym for a device and thusmay serve a good value from which to derive a remote access token 702.

FIG. 8 is a schematic diagram of a private network 800 and a privatenetwork 802 communicating over the public Internet via a NAT device 804and a NAT device 806, according to one embodiment. FIG. 8 shows a clientdevice 100, a networked device 102, a pairing server 200, a privatenetwork 800, a private network 802, a NAT device 804, a NAT device 806,a private IP address 808, a private IP address 810, a public IP address812, a public IP address 814, a tablet device 816, a printer 818, and auser 820.

The private network 800 and the private network 802 communicatebidirectionally through the pairing server 200 of FIG. 8. According toone embodiment, a private network 800 may be a home network and/or anyother network with private IP space that may be behind a NAT device 804.According to one embodiment, a private network 802 may be an officenetwork and/or any other network with private IP space that may bebehind a NAT device 806. A client device 100 (e.g., laptop) and anetworked device 102 (e.g., television) may reside on networks that areincommunicable with each other comprising a firewall separation, adifferent network separation, a physical separation, and/or anunreachable connection separation. A sandboxed application 112 of asecurity sandbox 104 of the client device 100 and a sandbox reachableservice 114 of the networked device 102 may communicate with each otherthrough a relay service employed by a pairing server 200 having thediscovery module and the relay module to facilitate a trustedcommunication between the sandboxed application 112 and the sandboxreachable service 114.

The NAT device 804, the networked device 102, and the tablet device 816are all interconnected and exist within the private network 800 of FIG.8. According to one embodiment, a NAT device 804 may be a device formodifying IP address information in IP packet headers while in transitacross a traffic routing device. According to one embodiment, a tabletdevice 816 may be a one-piece mobile computer, primarily operated bytouchscreen and/or an onscreen virtual keyboard. A NAT device 804 may becoupled with a network on which a networked device 102 operates.

The NAT device 806, the client device 100, and the printer 818 are allinterconnected and exist within the private network 802 of FIG. 8.According to one embodiment, a NAT device 806 may be a device formodifying IP address information in IP packet headers while in transitacross a traffic routing device. According to one embodiment, a printer818 may be a peripheral device which produces a representation of anelectronic document on physical media. A NAT device 806 may be coupledwith a network on which a client device 100 operates.

The NAT device 804 connects to the pairing server 200 through the publicIP address 812 of FIG. 8. The NAT device 804 connects to the networkeddevice 102 through the private IP address 808 of the networked device102 of FIG. 8. According to one embodiment, a public IP address 812 maybe an IP address of a private network 800 that may be used to routepackets on the public Internet. According to one embodiment, a privateIP address 808 may be an IP address of a networked device 102 on aprivate network 800. A trusted communication may be facilitated in amanner such that a sandboxed application 112 never learns a private IPaddress 808 and/or a hardware address 222 of a networked device 102 whena NAT device 804 may translate a private IP address 808 of a networkeddevice 102 to a public IP address 812 visible to a sandboxed application112.

The NAT device 806 connects to the pairing server 200 through the publicIP address 814 of FIG. 8. The NAT device 806 connects to the clientdevice 100 through the private IP address 810 of the client device 100of FIG. 8. According to one embodiment, a public IP address 814 may bean IP address of a private network 802 that may be used to route packetson the public Internet. According to one embodiment, a private IPaddress 810 may be an IP address of a networked device 102 on a privatenetwork 802. A trusted communication may be facilitated in a manner suchthat a sandboxed application 112 never learns a private IP address 808and/or a hardware address 222 of a networked device 102 when a NATdevice 806 may receive communications from a public IP address 812 of aprivate network 800 on which a sandbox reachable service 114 operates.

For example, FIG. 8 may encompass a sandboxed application 112 beingconstrained to know nothing but a description and/or name of a service(e.g., no private IP address 808, no hardware address 222, no GUID 208)where it is described a private IP address 808.

FIG. 8 may also be applicable to a sandboxed application 112 beingconstrained to know nothing at all about who receives a communication(e.g., no private IP address 808, no hardware address 222, no GUID 208,no description and/or name of a service) where it is described a privateIP address 808, according to one embodiment. For example, a sandboxedapplication 112 may include a hyperlink 328 to a pairing server 200 inwhich the hyperlink 328 may specify a message but no recipienthttp://flingo.tv/fling/a?url=url of media to be played. A pairing server200 may disambiguate an intended recipient (e.g., by returning a form338 to a user 820 in which the user 820 may select a sandbox reachableservice 114). A returned form 338 may execute in a security sandbox 104associated with a domain of a pairing server 200 which may be differentfrom a security sandbox 104 of a sandboxed application 112.

The user 820 exists within the private network 802 of FIG. 8. Accordingto one embodiment, a user 820 may be a human and/or software agent whouses a computer and/or network service.

In another aspect, a method of a client device includes constraining anexecutable environment in a security sandbox. The method also includesexecuting a sandboxed application in the executable environment using aprocessor and a memory. Further, the method includes automaticallyinstantiating a connection between the sandboxed application and asandbox reachable service of a networked media device.

The method may include processing an identification data associated withthe sandbox reachable service sharing a public address with the clientdevice. The method may also include determining a private address pairof the sandbox reachable service based on the identification data.Additionally, the method may include establishing a communicationsession between the sandboxed application and the sandbox reachableservice using a cross-site scripting technique of the security sandbox.Further, the method may include appending a header of a hypertexttransfer protocol to permit the networked media device to communicatewith the sandboxed application as a permitted origin domain through aCross-origin resource sharing (CORS) algorithm. The header may be eitherone of a origin header when the CORS algorithm is applied and a referrerheader in an alternate algorithm.

The method may further include accessing a pairing server whenprocessing the identification data associated with the sandbox reachableservice sharing the public address with the client device. The pairingserver may perform a discovery lookup of any device that has announcedthat it shares the public address associated with the client device. Thesandbox reachable service may announce itself to the pairing serverprior to the establishment of the communication session between thesandboxed application and the sandbox reachable service. The sandboxreachable service may also announce its availability across a range ofpublic addresses such that the sandboxed application communicates withthe sandbox reachable service in any one of the range of the publicaddresses. However, the range of public addresses may be known by thepairing server so that the announcement of the availability of thesandbox reachable service across the range of public addresses isunnecessary. The sandbox reachable service may communicate a globalunique identifier and/or an alphanumeric name to the pairing serveralong with the private address pair of the sandbox reachable service.The private address pair may include a private IP address and a portnumber associated with the sandbox reachable service.

The method may further include eliminating a communication through acentralized infrastructure when the sandboxed application and thesandbox reachable service communicate in a shared network common to theclient device and the networked media device when the connection isestablished. The shared network may be a local area network, a multicastnetwork, an anycast network, and/or a multilan network. The method mayalso include minimizing a latency in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established. Further, the method mayinclude improving privacy in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established.

The sandboxed application may be a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and/or anexecutable application in the security sandbox. The sandboxedapplication may comprise a markup language application such as aHyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and/or an Asynchronous Javascript®and a XML (AJAX) application. An access control algorithm may govern apolicy through which a secondary authentication is required whenestablishing a communication between the sandboxed application and thenetworked media device. The method may include utilizing an exception toa same origin policy through a use of a hyperlink, a form, the script, aframe, a header, and an image when establishing the connection betweenthe sandboxed application and the sandbox reachable service.

The method may include extending the security sandbox with a discoveryalgorithm and a relay algorithm through a discovery module and a relaymodule added to the security sandbox. The method may also includebypassing a pairing server having the discovery algorithm and the relayalgorithm when establishing the connection between the sandboxedapplication and the sandbox reachable service when the security sandboxis extended with the discovery algorithm and the relay algorithm throughthe discovery module and the relay module added to the security sandbox.

The method may further include applying the discovery algorithm of thesecurity sandbox to determine that the networked media device having thesandbox reachable service communicates in a shared network common to theclient device and the networked media device. The method may alsoinclude applying the relay algorithm of the security sandbox toestablish the connection between the sandboxed application and thesandbox reachable service of the networked media device. The discoveryalgorithm may utilize a protocol comprising a Bonjour® protocol, a SSDPprotocol, a LSD uTorrent® protocol, a multicast protocol, an anycastprotocol, and/or another Local Area Network (LAN) based protocol thatdiscovers services in a LAN based on a broadcast from any one of anoperating system service, the security sandbox, the client device, thesandbox reachable service, and the networked media device.

A cookie associated with the security sandbox may be used to store aremote access token on a storage of the client device. The remote accesstoken may identify a set of communicable private Internet Protocol (IP)addresses and/or hardware addresses associated with sandbox reachableservices that previously operated on a common shared network with theclient device. The client device may communicate with the sandboxreachable services that previously operated on the common shared networkthrough the remote access token.

The client device and the networked media device may reside on networksthat are incommunicable with each other comprising a firewallseparation, a different network separation, a physical separation,and/or an unreachable connection separation. The sandboxed applicationof the security sandbox of the client device and the sandbox reachableservice of the networked media device may communicate with each otherthrough a relay service employed by a pairing server having a discoverymodule and a relay module to facilitate a trusted communication betweenthe sandboxed application and the sandbox reachable service.

The trusted communication may be facilitated in a manner such that thesandboxed application never learns a private IP address and/or ahardware address of the networked media device. This may occur when afirst Network Address Translator (NAT) device receives communicationsfrom a public IP address of a different network on which the sandboxreachable service operates, and a second NAT device translates theprivate IP address of the networked media device to the public IPaddress visible to the sandboxed application. The first NAT device maybe coupled with a network on which the client device operates. Thesecond NAT device may be coupled with the different network on which thenetworked media device operates.

The networked media device may comprise a number of sandbox reachableapplications including the sandbox reachable application. A serviceagent module of the networked media device may coordinate communicationswith the discovery module of the security sandbox and/or the pairingserver. The security sandbox may be an operating system on which thesandboxed application is hosted and/or a browser application of theoperating system. The networked media device may be a television, aprojection screen, a multimedia display, a touchscreen display, an audiodevice, and/or a multidimensional visual presentation device.

The method may include utilizing a WebSocket and/or a long pollingservice message query interface to reduce a latency of message deliveryduring the trusted communication between the sandboxed application andthe sandbox reachable service. The method may also include optimizing apolling period between polling such that it is less than a timeoutperiod of a session through the relay service. The method may furtherinclude initiating the relay service through a series of web pages whereinformation is communicated using hyperlinks that point at the pairingserver, and/or a form having a confirmation dialog that is submittedback to the pairing server. A global unique identifier may be maskedthrough the pairing server when the confirmation dialog is served fromthe pairing server.

In one embodiment, a method of a networked device includes announcing asandbox reachable service of the networked device to a discovery moduleusing a processor and memory. The method also includes automaticallyinstantiating a communication between the sandbox reachable service ofthe networked device and a client device when a relay module sends arequest from a sandboxed application of the client device to the sandboxreachable service.

In yet another embodiment, a system includes a networked device toannounce a sandbox reachable service of the networked device to adiscovery module using a processor and memory. The system also includesa client device to constrain an executable environment in a securitysandbox, to execute a sandboxed application in the security sandbox, andto automatically instantiate a connection between the sandboxedapplication and the sandbox reachable service of the networked device.

In still another embodiment, a method of a pairing server includesreceiving, storing using a processor and a memory, and communicating toa client device a global unique identifier and/or an alphanumeric namein an announcement from a networked device along with a hardware addressassociated with the networked device, a public address pair associatedwith a sandbox reachable service of the networked device, and/or aprivate address pair associated with the sandbox reachable service ofthe networked device when a shared network is determined to be commonlyassociated with the client device and the networked device. The sharednetwork is a local area network, a multicast network, an anycastnetwork, and/or a multilan network.

For example, Jane may watch a movie and/or access an application throughher mobile device while sitting on a couch in her living room. Jane maywish to automatically display the movie and/or application of a bigscreen television in front of her couch. Jane may use a gesture totransport the movie and/or application to the big screen television. Forexample, Jane may ‘fling’ (or flick) the screen on her mobile device inwhich the movie and/or application is running in an upward motion, andinstantly transport the movie and/or application onto her big screentelevision. In an alternate embodiment, the big screen television mayautomatically detect that Jane is playing the movie and/or running theapplication on her mobile device and automatically launch the movie (inits current play state) and/or run the application on the big screentelevision after detection (without requiring a fling or flick hapticgesture by Jane).

While Jane is playing the movie and/or running the application on thebig screen television, Jane may see advertisements that relate toexactly what she is currently watching on the big screen television onher mobile device through the capture infrastructure described herein.Conversely, if Jane were playing the movie and/or running theapplication on her mobile device, she could see advertisements directlyrelated to the activities she is currently doing on her big screentelevision (and or simultaneously on the mobile device). This is madepossible through the various methods and techniques described herein,particularly with respect to a centralized capture infrastructure thatannotates an audio-visual stream with meta-data.

Although the present embodiments have been described with reference tospecific example embodiments, it will be evident that variousmodifications and changes may be made to these embodiments withoutdeparting from the broader spirit and scope of the various embodiments.For example, the various devices and modules described herein may beenabled and operated using hardware circuitry (e.g., CMOS based logiccircuitry), firmware, software or any combination of hardware, firmware,and/or software (e.g., embodied in a machine readable medium). Forexample, the various electrical structure and methods may be embodiedusing transistors, logic gates, and/or electrical circuits (e.g.,application specific integrated (ASIC) circuitry and/or Digital SignalProcessor (DSP) circuitry).

In addition, it will be appreciated that the various operations,processes, and/or methods disclosed herein may be embodied in amachine-readable medium and/or a machine accessible medium compatiblewith a data processing system (e.g., a computer device). Accordingly,the specification and drawings are to be regarded in an illustrative inrather than a restrictive sense.

What is claimed is:
 1. A method of a client device comprising: applyingan automatic content recognition algorithm to determine a contentidentifier of an audio-visual data; and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand the content identifier, wherein a capture infrastructure annotatesthe audio-visual data with at least one of a brand name and a productname by comparing entries in the master database with at least one of aclosed captioning data of the audio-visual data and through anapplication of an optical character recognition algorithm in theaudio-visual data; wherein the content identifier is at least one of amusic identification, an object identification, a facial identification,and a voice identification, wherein a minimal functionality comprisingaccessing at least one of a tuner and a stream decoder that identifiesat least one of a channel and a content is found in the networked mediadevice, wherein the networked media device produces at least one of anaudio fingerprint and a video fingerprint that are communicated with thecapture infrastructure, wherein the capture infrastructure compares atleast one of the audio fingerprint and the video fingerprint with amaster database, wherein the capture infrastructure annotates theaudio-visual data with a logo name by comparing entries in the masterdatabase with a logo data of the audio-visual data identified using alogo detection algorithm, wherein the capture infrastructureautomatically divides the audio-visual data into a series of scenesbased on a sematic grouping of actions in the audio-visual data, whereinthe audio-visual data is analyzed in advance of a broadcast to determinecontent identifiers associated with each commercial in the audio-visualdata such that advertisements are pre-inserted into the audio-visualdata prior to broadcast, wherein the capture infrastructure applies atime-order algorithm to automatically match advertisements to theaudio-visual data when a correlation pattern is identified by thecapture infrastructure with other audio-visual content previouslyanalyzed, wherein the capture infrastructure includes a buffer that issaved to a persistent storage and for which a label is generated tofacilitate identification of reoccurring sequences, wherein a postprocessing operation is at least one of automated through apost-processing algorithm and a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input, wherein a device pairing algorithm is used inwhich a cookie data associated with a web page visited by the userstored on a browser on the client device is paired with the networkedmedia device when the client device is communicatively coupled with thenetworked media device, wherein a transitive public IP matchingalgorithm is utilized in which at least one of the client device and thenetworked media device communicates each public IP address with anypaired entity to the capture infrastructure, and wherein a tag that isunconstrained from a same-origin policy is used to automatically loadthe advertisement in the browser, wherein the tag is at least one of animage tag, a frame, a iframe, and a script tag.
 2. The method of claim 1further comprising: referencing an additional metadata comprising atleast one of the content identifier and the advertisement based on avideo processing algorithm, wherein the additional meta data is at leastone of a title, a description, a thumbnail, a name of an individual, anda historical data, and wherein the additional metadata is determinedfrom a browser history captured from the client device based on acapture policy, and correlating a relevance of the browser history withat least one of the content identifier and the advertisement;constraining an executable environment in a security sandbox; executinga sandboxed application in the executable environment using a processorand a memory; automatically instantiating a connection between thesandboxed application and the unannounced device associated with thenetworked media device based on the determination that the internetprotocol address of the port from the unannounced device is associatedwith the networked media device; processing an identification dataassociated with the sandbox reachable service sharing a public addresswith the client device; determining a private address pair of thesandbox reachable service based on the identification data; establishinga communication session between the sandboxed application and thesandbox reachable service using a cross-site scripting technique of thesecurity sandbox; and appending a header of a hypertext transferprotocol to permit the networked media device to communicate with thesandboxed application as a permitted origin domain through aCross-origin resource sharing (CORS) algorithm, wherein the header iseither one of a origin header when the CORS algorithm is applied and areferrer header in an alternate algorithm.
 3. The method of claim 2:wherein the client device and the networked media device reside onnetworks that are incommunicable with each other comprising at least oneof a firewall separation, a different network separation, a physicalseparation, an unreachable connection separation, and wherein thesandboxed application of the security sandbox of the client device andthe sandbox reachable service of the networked media device communicatewith each other through a relay service employed by a pairing serverhaving a discovery module and a relay module to facilitate a trustedcommunication between the sandboxed application and the sandboxreachable service.
 4. The method of claim 3: wherein the trustedcommunication is facilitated in a manner such that the sandboxedapplication never learns at least one of a private IP address and ahardware address of the networked media device when: a first NetworkAddress Translator (NAT) device coupled with a network on which theclient device operates to receive communications from a public IPaddress of a different network on which the sandbox reachable serviceoperates, and wherein a second NAT device coupled with the differentnetwork on which the networked media device operates to translate theprivate IP address of the networked media device to the public IPaddress visible to the sandboxed application.
 5. The method of claim 4:wherein the networked media device comprises a plurality of sandboxreachable applications including the sandbox reachable application, andwherein a service agent module of the networked media device coordinatescommunications with the discovery module of at least one of the securitysandbox and the pairing server, wherein the security sandbox is at leastone of an operating system on which the sandboxed application is hostedand a browser application of the operating system, and wherein thenetworked media device is at least one of a television, a projectionscreen, a multimedia display, a touchscreen display, an audio device,and a multidimensional visual presentation device.
 6. The method ofclaim 5 further comprising: utilizing at least one of a WebSocket and along polling service message query interface to reduce a latency ofmessage delivery during the trusted communication between the sandboxedapplication and the sandbox reachable service; and optimizing a pollingperiod between polling such that it is less than a timeout period of asession through the relay service.
 7. The method of claim 6 furthercomprising: initiating the relay service through at least one of aseries of web pages where information is communicated using hyperlinksthat point at the pairing server, and a form having a confirmationdialog that is submitted back to the pairing server, and wherein aglobal unique identifier is masked through the pairing server when theconfirmation dialog is served from the pairing server.
 8. The method ofclaim 2 further comprising: extending the security sandbox with adiscovery algorithm and a relay algorithm through a discovery module anda relay module added to the security sandbox; and bypassing a pairingserver having the discovery algorithm and the relay algorithm whenestablishing the connection between the sandboxed application and thesandbox reachable service when the security sandbox is extended with thediscovery algorithm and the relay algorithm through the discovery moduleand the relay module added to the security sandbox.
 9. The method ofclaim 8 further comprising: applying the discovery algorithm of thesecurity sandbox to determine that the networked media device having thesandbox reachable service communicates in a shared network common to theclient device and the networked media device; and applying the relayalgorithm of the security sandbox to establish the connection betweenthe sandboxed application and the sandbox reachable service of thenetworked media device.
 10. The method of claim 9: wherein the discoveryalgorithm utilizes a protocol comprising at least one of a Bonjour*protocol, a SSDP protocol, a LSD uTorrent® protocol, a multicastprotocol, an anycast protocol, and another Local Area Network (LAN)based protocol that discovers services in a LAN based on a broadcastfrom any one of an operating system service, the security sandbox, theclient device, the sandbox reachable service, and the networked mediadevice.
 11. The method of claim 2 further comprising: wherein thesandboxed application is at least one of a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and anexecutable application in the security sandbox, wherein the sandboxedapplication comprises at least one of a markup language application suchas a HyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and an Asynchronous Javascript® anda XML (AJAX) application, and wherein an access control algorithmgoverns a policy through which a secondary authentication is requiredwhen establishing a communication between the sandboxed application andthe networked media device.
 12. The method of claim 11 furthercomprising: utilizing an exception to a same origin policy through a useof at least one of a hyperlink, a form, the script, a frame, a header,and an image when establishing the connection between the sandboxedapplication and the sandbox reachable service.
 13. The method of claim 2further comprising: accessing a paring server when processing theidentification data associated with the sandbox reachable servicesharing the public address with the client device, wherein the pairingserver performs a discovery lookup of any device that has announced thatit shares the public address associated with the client device, andwherein the sandbox reachable service announces itself to the pairingserver prior to the establishment of the communication session betweenthe sandboxed application and the sandbox reachable service.
 14. Themethod of claim 13 further comprising at least one of: wherein thesandbox reachable service announces an availability of the sandboxreachable service across a range of public addresses such that thesandboxed application communicates with the sandbox reachable service inany one of the range of the public addresses, wherein the range ofpublic addresses is known by the pairing server so that the announcementof the availability of the sandbox reachable service across the range ofpublic addresses is unnecessary, wherein the sandbox reachable servicecommunicates at least one of a global unique identifier and analphanumeric name to the pairing server along with the private addresspair of the sandbox reachable service, and wherein the private addresspair includes a private IP address and a port number associated with thesandbox reachable service.
 15. The method of claim 2 further comprising:eliminating a communication through a centralized infrastructure whenthe sandboxed application and the sandbox reachable service communicatein a shared network common to the client device and the networked mediadevice when the connection is established, wherein the shared network isat least one of the local area network, a multicast network, an anycastnetwork, and a multilan network; minimizing a latency in thecommunication session when the sandboxed application and the sandboxreachable service communicate in the shared network common to the clientdevice and the networked media device when the connection isestablished; and improving privacy in the communication session when thesandboxed application and the sandbox reachable service communicate inthe shared network common to the client device and the networked mediadevice when the connection is established.
 16. The method of claim 2:wherein a cookie associated with the security sandbox is used to store aremote access token on a storage of the client device, wherein theremote access token identifies at least one of a set of communicableprivate Internet Protocol (IP) addresses and hardware addressesassociated with sandbox reachable services that previously operated on acommon shared network with the client device, and wherein the clientdevice can communicate with the sandbox reachable services thatpreviously operated on the common shared network through the remoteaccess token.
 17. A method of a networked device comprising: applying anautomatic content recognition algorithm to determine a contentidentifier of an audio-visual data; and associating the contentidentifier with an advertisement data based on a semantic correlationbetween a meta-data of the advertisement provided by a content providerand the content identifier, wherein a capture infrastructure annotatesthe audio-visual data with at least one of a brand name and a productname by comparing entries in the master database with at least one of aclosed captioning data of the audio-visual data and through anapplication of an optical character recognition algorithm in theaudio-visual data; wherein the content identifier is at least one of amusic identification, an object identification, a facial identification,and a voice identification, wherein a minimal functionality comprisingaccessing at least one of a tuner and a stream decoder that identifiesat least one of a channel and a content is found in the networkeddevice, wherein the networked device produces at least one of an audiofingerprint and a video fingerprint that are communicated with thecapture infrastructure, wherein the capture infrastructure compares atleast one of the audio fingerprint and the video fingerprint with amaster database, wherein the capture infrastructure annotates theaudio-visual data with a logo name by comparing entries in the masterdatabase with a logo data of the audio-visual data identified using alogo detection algorithm, wherein the capture infrastructureautomatically divides the audio-visual data into a series of scenesbased on a sematic grouping of actions m the audio-visual data, whereinthe audio-visual data is analyzed in advance of a broadcast to determinecontent identifiers associated with each commercial in the audio-visualdata such that advertisements are pre-inserted into the audio-visualdata prior to broadcast, wherein the capture infrastructure applies atime-order algorithm to automatically match advertisements to theaudio-visual data when a correlation pattern is identified by thecapture infrastructure with other audio-visual content previouslyanalyzed, wherein the capture infrastructure includes a buffer that issaved to a persistent storage and for which a label is generated tofacilitate identification of reoccurring sequences, wherein a postprocessing operation is at least one of automated through apost-processing algorithm and a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input, wherein a device pairing algorithm is used inwhich a cookie data associated with a web page visited by the userstored on a browser on a client device is paired with the networkeddevice when the client device is communicatively coupled with thenetworked device, wherein a transitive public IP matching algorithm isutilized in which at least one of the client device and the networkeddevice communicates each public IP address with any paired entity to thecapture infrastructure, and wherein a tag that is unconstrained from asame-origin policy is used to automatically load the advertisement inthe browser, wherein the tag is at least one of an image tag, a frame, aiframe, and a script tag.
 18. The method of claim 17 further comprising:accessing a pairing server when processing an identification dataassociated with a sandbox reachable service of the networked device thatshares a public address with a client device, wherein the pairing serverperforms a discovery lookup of any device that has announced that itshares the public address associated with the client device, and whereinthe sandbox reachable service announces itself to the pairing serverprior to the establishment of the communication session between thesandboxed application and the sandbox reachable service, appending aheader of a hypertext transfer protocol to permit the networked deviceto communicate with the sandboxed application as a permitted origindomain through a Cross-origin resource sharing (CORS) algorithm, whereinthe header is either one of a origin header when the CORS algorithm isapplied and a referrer header in an alternate algorithm, and wherein theclient device to operate in at least one manner such that the clientdevice: to process an identification data associated with the sandboxreachable service sharing a public address with the client device; todetermine a private address pair of the sandbox reachable service basedon the identification data; and to establish a communication sessionbetween the sandboxed application and the sandbox reachable serviceusing a cross-site scripting technique of a security sandbox.
 19. Themethod of claim 18 wherein the client device: to extend a securitysandbox with a discovery algorithm and a relay algorithm through thediscovery module and the relay module added to the security sandbox; andto bypass a paring server having the discovery algorithm and the relayalgorithm when establishing the communication between the sandboxedapplication and the sandbox reachable service when the security isextended with the discovery algorithm and the relay algorithm throughthe discovery module and the relay module added to the security sandbox.20. The method of claim 19 wherein the client device: to apply thediscovery algorithm of the security sandbox to determine that thenetworked device having the sandbox reachable service communicates in ashared network common to the client device and the networked device; andto apply the relay algorithm of the security sandbox to establish thecommunication between the sandboxed application and the sandboxreachable service of the networked device.
 21. The method of claim 20:wherein the discovery algorithm utilizes a protocol comprising at leastone of a Bonjour* protocol, a SSDP protocol, a LSD uTorrent® protocol, amulticast protocol, an anycast protocol, and another Local Area Network(LAN) based protocol that discovers services in a LAN based on abroadcast from any one of an operating system service, the securitysandbox, the client device, the sandbox reachable service, and thenetworked device.
 22. The method of claim 21: wherein a cookieassociated with the security sandbox is used to store a remote accesstoken on a storage of the client device, wherein the remote access tokenidentifies at least one of a set of communicable private InternetProtocol (IP) addresses and hardware addresses associated with sandboxreachable services that previously operated on a common shared networkwith the client device, and wherein the client device can communicatewith the sandbox reachable services that previously operated on thecommon shared network through the remote access token.
 23. The method ofclaim 22: wherein the client device and the networked device reside onnetworks that are incommunicable with each other comprising at least oneof a firewall separation, a different network separation, a physicalseparation, an unreachable connection separation, and wherein thesandboxed application of the security sandbox of the client device andthe sandbox reachable service of the networked device communicate witheach other through a relay service employed by the pairing server havingthe discovery module and the relay module to facilitate a trustedcommunication between the sandboxed application and the sandboxreachable service.
 24. The method of claim 23: wherein the trustedcommunication is facilitated in a manner such that the sandboxedapplication never learns at least one of a private IP address and ahardware address of the networked device when: a first Network AddressTranslator (NAT) device coupled with a network on which the clientdevice operates to receives communications from a public IP address of adifferent network on which the sandbox reachable service operates, andwherein a second NAT device coupled with the different network on whichthe networked device operates to translates the private IP address ofthe networked device to the public IP address visible to the sandboxedapplication.
 25. The method of claim 24: wherein the networked devicecomprises a plurality of sandbox reachable applications including thesandbox reachable application, and wherein a service agent module of thenetworked device coordinates communications with the discovery module ofat least one of the security sandbox and the pairing server, wherein thesecurity sandbox is at least one of an operating system on which thesandboxed application is hosted and a browser application of theoperating system, and wherein the networked device is at least one of atelevision, a projection screen, a multimedia display, a touchscreendisplay, an audio device, a weather measurement device, a trafficmonitoring device, a status update device, a global positioning device,a geospatial estimation device, a tracking device, a bidirectionalcommunication device, a unicast device, a broadcast device, and amultidimensional visual presentation device.
 26. The method of claim 25wherein the client device: to utilize at least one of a WebSocket and along polling service message query interface to reduce a latency ofmessage delivery during the trusted communication between the sandboxedapplication and the sandbox reachable service; and to optimize a pollingperiod between polling such that it is less than a timeout period of asession through the relay service.
 27. The method of claim 26 whereinthe client device: to initiate the relay service through at least one ofa series of web pages where information is communicated using hyperlinksthat point at the pairing server, and a form having a confirmationdialog that is submitted back to the pairing server, and wherein aglobal unique identifier is masked through the pairing server when theconfirmation dialog is served from the pairing server.
 28. The method ofclaim 18 wherein the client device: to access a pairing server whenprocessing the identification data associated with the sandbox reachableservice sharing the public address with the client device, wherein thepairing server performs a discovery lookup of any devices that haveannounced that they share the public address associated with the clientdevice, and wherein the sandbox reachable service announces itself tothe pairing server prior to the establishment of the communicationsession between the sandboxed application and the sandbox reachableservice.
 29. The method of claim 28 further comprising at least one of:announcing an availability of the sandbox reachable service across arange of public addresses such that the sandboxed applicationcommunicates with the sandbox reachable service in any one of the rangeof the public addresses; and communicating at least one of a globalunique identifier, a hardware address, and an alphanumeric name to thepairing server along with the private address pair of the sandboxreachable service, and wherein the private address pair includes aprivate IP address and a port number associated with the sandboxreachable service.
 30. The method of claim 28 further comprising:eliminating a communication through a centralized infrastructure whenthe sandboxed application and the sandbox reachable service communicatein a shared network common to the client device and the networked devicewhen the communication is established, wherein the shared network is atleast one of a local area network, a multicast network, an anycastnetwork, and a multilan network; minimizing a latency in thecommunication session when the sandboxed application and the sandboxreachable service communicate in the shared network common to the clientdevice and the networked device when the communication is established;and improving privacy in the communication session when the sandboxedapplication and the sandbox reachable service communicate in the sharednetwork common to the client device and the networked device when thecommunication is established.
 31. The method of claim 18: wherein thesandboxed application is at least one of a web page, a script, a binaryexecutable, an intermediate bytecode, an abstract syntax tree, and anexecutable application in a security sandbox, wherein the sandboxedapplication comprises at least one of a markup language application suchas a HyperText Markup Language 5 (HTML5) application, a Javascript®application, an Adobe® Flash® application, a Microsoft® Silverlight®application, a JQuery® application, and an Asynchronous Javascript® anda XML (AJAX) application, and wherein an access control algorithmgoverns a policy through which a secondary authentication is requiredwhen establishing a communication between the sandboxed application andthe networked device.
 32. The method of claim 31 wherein the clientdevice: to utilize an exception to a same origin policy through a use ofat least one of a hyperlink, a form, the script, a frame, a header, andan image when establishing the communication between the sandboxedapplication and the sandbox reachable service.
 33. A system comprising:a networked device and a client device to apply an automatic contentrecognition algorithm to determine a content identifier of anaudio-visual data and to associate the content identifier with anadvertisement data based on a semantic correlation between a meta-dataof the advertisement provided by a content provider and the contentidentifier; and a capture infrastructure to annotate the audio-visualdata with at least one of a brand name and a product name by comparingentries in the master database with at least one of a closed captioningdata of the audio-visual data and through an application of an opticalcharacter recognition algorithm in the audio-visual data; wherein thecontent identifier is at least one of a music identification, an objectidentification, a facial identification, and a voice identification,wherein a minimal functionality comprising accessing at least one of atuner and a stream decoder that identifies at least one of a channel anda content is found in the networked media device, wherein the networkedmedia device produces at least one of an audio fingerprint and a videofingerprint that are communicated with a capture infrastructure, whereinthe capture infrastructure compares at least one of the audiofingerprint and the video fingerprint with a master database, whereinthe capture infrastructure annotates the audio-visual data with a logoname by comparing entries in the master database with a logo data of theaudio-visual data identified using a logo detection algorithm, whereinthe capture infrastructure automatically divides the audio-visual datainto a series of scenes based on a sematic grouping of actions in theaudio-visual data, wherein the audio-visual data is analyzed in advanceof a broadcast to determine content identifiers associated with eachcommercial in the audio-visual data such that advertisements arepre-inserted into the audio-visual data prior to broadcast, wherein thecapture infrastructure applies a time-order algorithm to automaticallymatch advertisements to the audio-visual data when a correlation patternis identified by the capture infrastructure with other audio-visualcontent previously analyzed, wherein the capture infrastructure includesa buffer that is saved to a persistent storage and for which a label isgenerated to facilitate identification of reoccurring sequences, whereina post processing operation is at least one of automated through apost-processing algorithm and a crowd-sourced operation using aplurality of users in which a turing test is applied to determine averacity of an input, wherein a device pairing algorithm is used inwhich a cookie data associated with a web page visited by the userstored on a browser on the client device is paired with the networkedmedia device when the client device is communicatively coupled with thenetworked media device, wherein a transitive public IP matchingalgorithm is utilized in which at least one of the client device and thenetworked media device communicates each public IP address with anypaired entity to the capture infrastructure, and wherein a tag that isunconstrained from a same-origin policy is used to automatically loadthe advertisement m the browser, wherein the tag is at least one of animage tag, a frame, a iframe, and a script tag.
 34. The system of claim33 wherein the client device: to extend the security sandbox with adiscovery algorithm and a relay algorithm through the discovery moduleand a relay module added to the security sandbox, and to bypass a paringserver having the discovery algorithm and the relay algorithm whenestablishing the connection between the sandboxed application and thesandbox reachable service when the security is extended with thediscovery algorithm and the relay algorithm through the discovery moduleand the relay module added to the security sandbox.
 35. The system ofclaim 34 wherein the client device: to apply the discovery algorithm ofthe security sandbox to determine that the networked device having thesandbox reachable service communicates in a shared network common to theclient device and the networked device, and to apply the relay algorithmof the security sandbox to establish the connection between thesandboxed application and the sandbox reachable service of the networkeddevice.
 36. The system of claim 35: wherein the discovery algorithmutilizes a protocol comprising at least one of a Bonjour* protocol, aSSDP protocol, a LSD uTorrent® protocol, a multicast protocol, ananycast protocol, and another Local Area Network (LAN) based protocolthat discovers services in a LAN based on a broadcast from any one of anoperating system service, the security sandbox, the client device, thesandbox reachable service, and the networked device.
 37. The system ofclaim 36: wherein a cookie associated with the security sandbox is usedto store a remote access token on a storage of the client device,wherein the remote access token identifies at least one of a set ofcommunicable private Internet Protocol (IP) addresses and hardwareaddresses associated with sandbox reachable services that previouslyoperated on a common shared network with the client device, and whereinthe client device can communicate with the sandbox reachable servicesthat previously operated on the common shared network through the remoteaccess token.
 38. The system of claim 37: wherein the client device andthe networked device reside on networks that are incommunicable witheach other comprising at least one of a firewall separation, a differentnetwork separation, a physical separation, an unreachable connectionseparation, and wherein the sandboxed application of the securitysandbox of the client device and the sandbox reachable service of thenetworked device communicate with each other through a relay serviceemployed by the pairing server having the discovery module and the relaymodule to facilitate a trusted communication between the sandboxedapplication and the sandbox reachable service.
 39. The system of claim38: wherein the trusted communication is facilitated in a manner suchthat the sandboxed application never learns at least one of a private IPaddress and a hardware address of the networked device when: a firstNetwork Address Translator (NAT) device coupled with a network on whichthe client device operates to receives communications from a public IPaddress of a different network on which the sandbox reachable serviceoperates, and wherein a second NAT device coupled with the differentnetwork on which the networked device operates to translates the privateIP address of the networked device to the public IP address visible tothe sandboxed application.
 40. The system of claim 39: wherein thenetworked device comprises a plurality of sandbox reachable applicationsincluding the sandbox reachable application, and wherein a service agentmodule of the networked device coordinates communications with thediscovery module of at least one of the security sandbox and the pairingserver, wherein the security sandbox is at least one of an operatingsystem on which the sandboxed application is hosted and a browserapplication of the operating system, and wherein the networked device isat least one of a television, a projection screen, a multimedia display,a touchscreen display, an audio device, a weather measurement device, atraffic monitoring device, a status update device, a global positioningdevice, a geospatial estimation device, a tracking device, abidirectional communication device, a unicast device, a broadcastdevice, and a multidimensional visual presentation device.
 41. Thesystem of claim 40 wherein the client device: to utilize at least one ofa WebSocket and a long polling service message query interface to reducea latency of message delivery during the trusted communication betweenthe sandboxed application and the sandbox reachable service, and tooptimize a polling period between polling such that it is less than atimeout period of a session through the relay service.
 42. The system ofclaim 41 wherein the client device: to initiate the relay servicethrough at least one of a series of web pages where information iscommunicated using hyperlinks that point at the pairing server, and aform having a confirmation dialog that is submitted back to the pairingserver, and wherein a global unique identifier is masked through thepairing server when the confirmation dialog is served from the pairingserver.
 43. The system of claim 33 wherein the client device: to accessa pairing server when processing the identification data associated withthe sandbox reachable service sharing the public address with the clientdevice, wherein the pairing server performs a discovery lookup of anydevice that have announced that they share the public address associatedwith the client device, and wherein the sandbox reachable serviceannounces itself to the pairing server prior to the establishment of thecommunication session between the sandboxed application and the sandboxreachable service.
 44. The system of claim 43 wherein the networkeddevice to at least one of: announce a sandbox reachable service of thenetworked device to a discovery module using a processor and memory,announce an availability of the sandbox reachable service across a rangeof public addresses such that the sandboxed application communicateswith the sandbox reachable service in any one of the range of the publicaddresses, communicate at least one of a global unique identifier and analphanumeric name to the pairing server along with at least one of ahardware address associated with the networked device, a public addresspair associated with a sandbox reachable service of the networkeddevice, and a private address pair associated with the sandbox reachableservice of the networked device, and wherein the private address pairincludes a private IP address and a port number associated with thesandbox reachable service.
 45. The system of claim 44 wherein the clientdevice: to eliminate a communication through a centralizedinfrastructure when the sandboxed application and the sandbox reachableservice communicate in a shared network common to the client device andthe networked device when the connection is established, wherein theshared network is at least one of a local area network, a multicastnetwork, an anycast network, and a multilan network; to minimize alatency in the communication session when the sandboxed application andthe sandbox reachable service communicate in the shared network commonto the client device and the networked device when the connection isestablished; and to improve privacy in the communication session whenthe sandboxed application and the sandbox reachable service communicatein the shared network common to the client device and the networkeddevice when the connection is established.
 46. The system of claim 33:wherein the sandboxed application is at least one of a web page, ascript, a binary executable, an intermediate bytecode, an abstractsyntax tree, and an executable application in the security sandbox,wherein the sandboxed application comprises at least one of a markuplanguage application such as a HyperText Markup Language 5 (HTML5)application, a Javascript® application, an Adobe® Flash® application, aMicrosoft® Silverlight® application, a JQuery® application, and anAsynchronous Javascript® and a XML (AJAX) application, and wherein anaccess control algorithm governs a policy through which a secondaryauthentication is required when establishing a communication between thesandboxed application and the networked device.
 47. The system of claim46 wherein the client device: to utilize an exception to a same originpolicy through a use of at least one of a hyperlink, a form, the script,a frame, a header, and an image when establishing the connection betweenthe sandboxed application and the sandbox reachable service.
 48. Thesystem of claim 33: wherein the communication session is established byappending a header of a hypertext transfer protocol to permit thenetworked device to communicate with the sandboxed application as apermitted origin domain through a Cross-origin resource sharing (CORS)algorithm, wherein the header is either one of a origin header when theCORS algorithm is applied and a referrer header in an alternatealgorithm.